Jun 24, 2026 · 6 min read
DentaQuest: ShinyHunters Leak 2.6M Dental Health Records
ShinyHunters published 234 GB of protected health information from the US dental benefits administrator on May 23 after ransom negotiations collapsed, exposing Medicaid IDs, health insurance details, and government IDs for 2.6 million patients.
ShinyHunters published 234 GB of stolen data from DentaQuest on May 23, 2026, after the dental benefits administrator refused to pay ransom. The dump exposed 2.6 million accounts containing protected health information — names, dates of birth, home addresses, phone numbers, email addresses, government issued IDs, health insurance data, and Medicaid IDs. DentaQuest administers dental benefits for 35 million customers across all 50 states, primarily Medicaid and CHIP programs. The 2.6 million affected represent a subset: lower income enrollees whose coverage is managed by state governments.
Key Takeaways
- • ShinyHunters published 234 GB of DentaQuest data on May 23, 2026, after ransom negotiations collapsed.
- • 2.6 million accounts were exposed, including PHI stored in ASC X12 healthcare transaction format alongside Medicaid IDs, dates of birth, and government issued IDs.
- • DentaQuest's mandatory HHS OCR breach notification deadline falls around July 22, 2026 — late filings carry their own civil penalties.
- • ShinyHunters has now breached Charter (42M records), Kodak (2.2M), and the Council of Europe in 2026 alone, establishing a consistent Salesforce and SaaS exfiltration pattern.
What Data Was Exposed?
The stolen files contain a layered mix of PII and PHI that goes well beyond a standard credential dump. ASC X12 is the electronic data interchange format used in US healthcare for eligibility verifications, claims, and enrollment transactions — meaning the exfiltrated files are structured, machine readable, and trivially queryable by anyone who downloads them.
Within those transaction sets, researchers found full legal names and home addresses, dates of birth and gender, email addresses and phone numbers, government issued IDs (driver's licenses, state IDs), health insurance member numbers and plan details, and Medicaid IDs. That combination is more valuable than a standard email and password pair. Medicaid IDs and health insurance numbers enable medical identity theft — filing fraudulent claims under a real beneficiary's coverage. According to analysis by Rescana, approximately 66% of the records appeared in prior breach compilations, raising aggregation risk significantly for affected individuals.
Who Is Affected?
The 2.6 million affected accounts represent a specific slice of DentaQuest's 35 million total member base. BleepingComputer and SecurityWeek confirm the affected population skews toward Medicaid and CHIP beneficiaries — people enrolled through state government programs rather than commercial employer plans.
That demographic context matters operationally. Medicaid enrollees are less likely to have credit monitoring services, less likely to respond quickly to breach notifications, and more likely to have their healthcare identity misused before any fraud is detected. DentaQuest confirmed on June 2, 2026, that it had "unauthorized access to a limited portion of our network" and stated it had contained the incident. The company has not publicly disclosed the initial access vector ShinyHunters used.
What Are the HIPAA Implications?
DentaQuest is a HIPAA covered entity, so the breach triggers mandatory obligations under the HIPAA Breach Notification Rule. Any breach affecting 500 or more individuals must be reported to the HHS Office for Civil Rights within 60 days of discovery. Based on the May 23, 2026 disclosure date, DentaQuest's notification deadline falls around July 22, 2026. As of early June, no filing had appeared in the HHS OCR breach portal — which may constitute a Breach Notification Rule violation if the company discovered the intrusion before the public disclosure.
Per the HIPAA Journal, DentaQuest must also notify each affected individual by first class mail, issue media notices in jurisdictions with 500 or more affected individuals, and notify state Medicaid partners. OCR can impose civil monetary penalties up to $1.9 million per violation category per year. Presense Health paid $475,000 solely for missing the 60 day notification deadline. The DentaQuest case involves PHI for millions of Medicaid beneficiaries — class action investigations are already underway, and parallel state attorney general inquiries across Medicaid partner states are the predictable next step.
The ShinyHunters Pattern in 2026
ShinyHunters is not a new actor, but its 2026 campaign has reached an industrial scale. The same group is responsible for the Kodak breach exposing 2.2 million records, the Council of Europe payroll exposure, and the Charter Communications breach claiming 42 million records — all in the first half of 2026.
The methodology is consistent across targets. ShinyHunters identifies Salesforce or SaaS integrations, uses phishing or vishing to harvest valid credentials or OAuth tokens, exfiltrates bulk data through that legitimate access path, lists the victim on its dark web extortion site with a short deadline, and publishes the data when payment fails. The DentaQuest case fits this pattern closely, though the specific entry vector has not been confirmed publicly.
Why This Breach Is Worse Than a Standard Credential Dump
Most credential leaks expose email addresses and hashed passwords. The DentaQuest data is structurally different: ASC X12 transaction format means the files contain healthcare enrollment transactions — structured data with field labels that map directly to individual people's medical and financial lives. An attacker does not need to do any parsing; the records are already organized by member ID, plan type, and benefit category.
The PHI and PII combination enables at least three distinct downstream attacks: medical identity fraud (billing insurers for services under a real patient's Medicaid ID), insurance phishing (impersonating DentaQuest or state Medicaid offices to harvest additional credentials), and conventional spear phishing with unusually high credibility — since the attacker can reference accurate dental plan details to build trust. The iRhythm breach in June 2026, which exposed 12 million cardiac patients through social engineering, and the DentaQuest breach together suggest healthcare administration systems are the highest return target for extortion groups right now.
What Should Affected People Do?
If you were a DentaQuest dental plan member — particularly through a state Medicaid or CHIP program — assume your data is in the dump until notified otherwise. Five immediate steps:
- Check Have I Been Pwned. The DentaQuest breach is indexed and searchable by email address at haveibeenpwned.com.
- Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion all offer free credit freezes — the most effective barrier to new account fraud using your stolen identity.
- Place fraud alerts with your dental and health insurers. Request that any claims filed under your plan require additional verification before processing.
- Be suspicious of communications claiming to be from DentaQuest or your state Medicaid office. The attacker has your plan details and can impersonate these entities with high credibility.
- Audit your Explanation of Benefits statements. Medical identity theft often goes undetected for months because victims rarely check every EOB line for services they did not receive.
DentaQuest's official breach notification letters are required by law to arrive by July 22, 2026. If you have not received one by then, contact DentaQuest directly to confirm your address on file.